User, Identity and Authenticator

To fully configure and use Authgear, you need to understand 3 important concepts in Authgear's flexible yet powerful authentication system:

  • User

  • Identity

  • Authenticator

Combining identity and authenticators, Authgear can support a lot of different authentication needs such as, but not included to:

  • Simple email / username / phone sign in, with or without 2FA

  • Email or SMS Passwordless login

  • SSO login such as Google / Facebook etc

  • Phone sign in with Password as the 2nd factor like telegram or whatsapp

  • A lot more.


A user represents an entity who use your app, usually a person. Each user can have multiple identities.


Identities are the way users can identify themselves, such as username, email and phone. Identities could also came from an OAuth Provider such as Google/Facebook SSO, or Sign in with Apple.

Currently, Authgear support the following identity:

  • Email

  • Phone

  • Username

  • OAuth Provider:

    • Google

    • Facebook

    • Azure Active Directory

    • Linkedin

    • Sign in with Apple

  • Anonymous

Each identities have its configuration. For example email could be configured to block "+" or not, or if a username is case sensitive or not.

Email, Phone and Username identities automatically create the email, phone_number and preferred_username claims. OAuth Provider might create a email claim depends on if the user's email is provided.


Authenticators are the way a user with an identity can authenticate themselves, each user can multiple primary and secondary authenticators. If secondary are configured or required, a user need to authenticate itself against both to be signed in.

Currently Authgear support the following authenticators:

  • Primary Authenticators:

    • Password

    • One Time Passcode via Email or SMS (oob_otp)

  • Secondary Authenticators:

    • Password

    • TOTP (2FA token)

    • One Time Passcode via Email or SMS (oob_otp)

Secondary authentication could be optional (only if the user configured it) or required for all users.

Last updated